header-logo
Suggest Exploit
vendor:
QuickTime
by:
Yag Kohha
7.5
CVSS
HIGH
Remote stack rewrite exploit
Not provided
CWE
Product Name: QuickTime
Affected Version From: QuickTime 7.2
Affected Version To: QuickTime 7.3
Patch Exists: NO
Related CWE: Not provided
CPE: Not provided
Metasploit:
Other Scripts:
Platforms Tested: Windows Vista, Windows XP SP2 with IE 6.0/7.0 and QuickTime 7.2/7.3
2007

QuickTime RTSP Response Content-type remote stack rewrite exploit for IE 6/7

This exploit targets a vulnerability in QuickTime that allows remote attackers to rewrite the stack and execute arbitrary code on systems running Internet Explorer 6 or 7. It involves sending a specially crafted RTSP response with a manipulated Content-type header. The exploit has been tested on Windows Vista and Windows XP SP2 with IE 6.0/7.0 and QuickTime 7.2/7.3.

Mitigation:

Upgrade to a newer version of QuickTime and Internet Explorer. Disable QuickTime plugin in the browser if not required.
Source

Exploit-DB raw data:

      ___             Everyone Loves
    O|0_+|O           the Hypnotoad...
     |...|
      | |
=o0O=====O0o===============================
| QuickTime RTSP Response Content-type    |
| remote stack rewrite exploit for IE 6/7 |
| by Yag Kohha (skyhole [at] gmail.com)   |
===========================================
			      
Exploit tested on:
 - Windows Vista
 - Windows XP SP2
 - IE 6.0/ 7.0
 - QT 7.2/ 7.3

Exploit requirements:
 Target: Windows Vista/ XP SP2 , IE 6.0/7.0, QT 7.2/7.3
 Server: Linux, Perl, Apache web- server

Whats inside:
 index.html 	- hypertext document with heap spray javascript and QT plugin call with playlist.mov (place to public web-folder)
 server 	- rtsp- server emulator (run in your linux shell in background mode "./server&")
 playlist.mov 	- play list with rtsp server link (edit "_server_emulator_ip" with address of rtsp-server emulator started and place to public web-folder)
Try to load index.html in your browser from remote web- server with installed exploit.

Greetz 2:
    - str0ke & milw0rm
    - shinnai
    - h07 for bug publication
    - muts & InTel for code play'ng ( but guyz, U`rs releases coded with SEH overwrite... It's so many problems
				    with shellcode modification and stable exploitation on different systems...
				    for whats? 
				    We can overwrite EIP with buffer generation like 65535 bytes. In this release EIP -> 0x0c0c0c0c )

Fuckz 2:
    - wslabi.com (too stupid resource for selling shit)
    - ICEPACK and MPACK coderz (Fucking javascript kidd0z and code thiefz)

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/4664.tar.gz (11272007-qt_public.tar.gz)

# milw0rm.com [2007-11-27]

Navigation

Suggest Exploit

Services By CQR